
Mobikwik offers master class in how NOT to respond to a breach; researchers scoff, consumers rage

Things have rapidly escalated in the wake of MobiKwik’s repeated denials that the digital wallet and payments network firm had a massive breach. As DataBreaches.net reported on Sunday, more than 8 TB of data from the firm had been listed for sale on a popular forum, data that allegedly included KYC (Know Your Customer) data on 3.5 million consumers. And to prove the data were real, the seller created a portal where MobiKwik customers could input their information to see what MobiKwik had on file about them.

Despite the samples provided and confirmation by independent researchers that the data were real, MobiKwik gave DataBreaches.net a statement that there had been no breach, repeating a statement it had made on March 4, when it tried to claim that a “media-crazed researcher” had concocted files but that their systems were secure.

That “media-crazed researcher” would be Rajshekhar Rajaharia, who has found and reported a number of leaks and vulnerabilities. Rajaharia has responsibly notified the Indian CERT of issues he finds. In February, he publicly tweeted about MobiKwik (see thread), and he continued to tweet, trying to get MobiKwik to respond responsibly. For his efforts, he has been threatened legally and maligned. MobiKwik’s attempt to claim that it is secure and that this is all concocted by Rajaharia has drawn derision and anger from members of the public as well as security researchers.

DataBreaches.net had immediately written back to MobiKwik to tell them that their claim that this was concocted by media-crazed researchers was not credible. DataBreaches.net had previously tweeted (from the @PogoWasRight account):

So to be clear: you are saying that you checked each record in the sample file and none of them correspond to real customer data or details? And you have no concern about the hacker just dumping the whole file, unredacted, because you say it is fake? Is that accurate?
— Dissent Doe, PhD (@PogoWasRight) March 4, 2021

MobiKwik had not responded to that tweet. Nor did they ever respond to this site’s email to them on Sunday telling them that their denials were simply not credible.

Things really blew up online, however, after well-known French security researcher Baptiste Robert sarcastically congratulated MobiKwik. Robert, or “Elliot Alderson” as he calls himself on Twitter, has a history of highlighting big breaches and leaks in India that Indian entities have desperately tried to deny. In this case, his tweet as @fs0c131y, since removed because it violated Twitter’s rules by linking to private information, had said, “Probably the largest KYC data leak in history. Congrats Mobikwik.”

And with that, the Twitter floodgates opened. One consumer tweeted:

What the fuck is this @MobiKwik @MobiKwikSWAT How the hell are my all the cards that are linked to my mobikwik account are shown to a certain link ? Shut down your services. #shamemobikwik pic.twitter.com/yN7C1SoPHT
— Aanjney Bhardwaj (@bhardwaj_anjney) March 29, 2021

There has been a flood of other confirmations and angry comments from people who also found their data, real data, exposed, while MobiKwik remains quiet and does not admit what appears obvious to the world.

Today, the “media-crazed researcher” (and DataBreaches.net suggests that Raj should consider trademarking that) tweeted that he had also reported a bug to MobiKwik, which they immediately addressed, and that they then cheated him by not paying the bug bounty:

My 1st March conversation With #Mobikwik after this serious data breach. I also reported a bug. They denied it too and removed that Bug in the next 1 hour. They saved their 1000 rupee bounty by denying it. #InfoSec #DataLeak #GDPR @sanjg2k1 @fs0c131y @troyhunt pic.twitter.com/pP0VRU0vqC
— Rajshekhar Rajaharia (@rajaharia) March 30, 2021

People watching this unfold should keep in mind that MobiKwik has reportedly been planning an IPO later this year. The very last thing they need or want right now is a massively expensive and embarrassing data breach that would make investors shy away. Is that the explanation: are they denying all this in the hope that investors will not run away?

It is never appropriate to falsely accuse researchers of concocting a breach in order to cover one up. It is never appropriate to threaten to sue or criminally charge researchers for exposing your security failures and for trying to get you to be accountable to the public. If MobiKwik genuinely believes that there has been no breach, then let them hire a firm like Mandiant to investigate and agree in advance to make the firm’s findings public (as Accellion recently did following their breach). [Updated: it appears that they have indicated that they will hire a firm to investigate.]

Troy Hunt, owner of HaveIBeenPwned, sums this one up nicely:

Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling “mobikwik data breach” now… https://t.co/L5E4xc1ey0
— Troy Hunt (@troyhunt) March 29, 2021

So what should happen now? Well, as a consumer advocate, this blogger would recommend that MobiKwik forget about the funding and IPO right now and do the right thing for the 100 million consumers who trusted them with their data.

And as to their threats of “strict legal action”: I and others stand with Rajshekhar Rajaharia. I’ve already been threatened, and actually charged in the past, in India for reporting on their leaks and breaches. Indian entities have for too long failed the public by not using reasonable security and then trying to lie their way out of transparent disclosure and mitigation. Trying to chill the speech of researchers and journalists will not serve the Indian public well.

For those who wish to know more, follow @rajaharia on Twitter and support his efforts to demand accountability and transparency. Speak up, people. And if he needs a legal defense fund, pitch in if you can. And for those who